Red Hat Bugzilla – Attachment 148144 Details for
Bug 228902
SELinux: fine grained enforcement of sysfs objects
[patch]
sysfs-sde early work
sysfs-sde.patch (text/plain), 7.72 KB, created by
Eric Paris
on 2007-02-15 20:24:50 UTC
(
hide
)
Description:
sysfs-sde early work
Filename:
MIME Type:
Creator:
Eric Paris
Created:
2007-02-15 20:24:50 UTC
Size:
7.72 KB
patch
obsolete
>diff -uprN -x '*.o' -x '*.ko' -x '*.s' -x '*.mod.c' -x '.*' -x autoconf.h -x compile.h -x version.h ./linux-2.6.16-rc2/fs/sysfs/dir.c ./linux-2.6.16-rc2-sde/fs/sysfs/dir.c
>--- ./linux-2.6.16-rc2/fs/sysfs/dir.c 2006-02-08 19:17:03.000000000 -0500
>+++ ./linux-2.6.16-rc2-sde/fs/sysfs/dir.c 2006-02-09 09:42:19.000000000 -0500
>@@ -9,6 +9,7 @@
> #include <linux/module.h>
> #include <linux/kobject.h>
> #include <linux/namei.h>
>+#include <linux/security.h>
> #include "sysfs.h"
> 
> DECLARE_RWSEM(sysfs_rename_sem);
>@@ -46,6 +47,7 @@ static struct sysfs_dirent * sysfs_new_d
> INIT_LIST_HEAD(&sd->s_children);
> list_add(&sd->s_sibling, &parent_sd->s_children);
> sd->s_element = element;
>+ sd->s_secid = SECID_NULL;
> 
> return sd;
> }
>diff -uprN -x '*.o' -x '*.ko' -x '*.s' -x '*.mod.c' -x '.*' -x autoconf.h -x compile.h -x version.h ./linux-2.6.16-rc2/fs/sysfs/inode.c ./linux-2.6.16-rc2-sde/fs/sysfs/inode.c
>--- ./linux-2.6.16-rc2/fs/sysfs/inode.c 2006-02-08 19:17:03.000000000 -0500
>+++ ./linux-2.6.16-rc2-sde/fs/sysfs/inode.c 2006-02-09 09:43:01.000000000 -0500
>@@ -12,6 +12,7 @@
> #include <linux/namei.h>
> #include <linux/backing-dev.h>
> #include <linux/capability.h>
>+#include <linux/security.h>
> #include "sysfs.h"
> 
> extern struct super_block * sysfs_sb;
>@@ -29,6 +30,7 @@ static struct backing_dev_info sysfs_bac
> 
> static struct inode_operations sysfs_inode_operations ={
> .setattr = sysfs_setattr,
>+ .setxattr = sysfs_setxattr,
> };
> 
> int sysfs_setattr(struct dentry * dentry, struct iattr * iattr)
>@@ -92,6 +94,23 @@ int sysfs_setattr(struct dentry * dentry
> return error;
> }
> 
>+int sysfs_setxattr(struct dentry *dentry, const char *name, const void *value,
>+ size_t size, int flags)
>+{
>+ struct sysfs_dirent * sd = dentry->d_fsdata;
>+ int error;
>+ u32 secid;
>+
>+ if (!sd)
>+ return -EINVAL;
>+
>+ error = security_xattr_to_secid(name, value, size, &secid);
>+ if (!error)
>+ sd->s_secid = secid;
>+
>+ return error;
>+}
>+
> static inline void set_default_inode_attr(struct inode * inode, mode_t mode)
> {
> inode->i_mode = mode;
>@@ -128,6 +147,9 @@ struct inode * sysfs_new_inode(mode_t mo
> set_inode_attr(inode, sd->s_iattr);
> } else
> set_default_inode_attr(inode, mode);
>+
>+ if (sd->s_secid != SECID_NULL)
>+ security_inode_setsecid(inode, sd->s_secid);
> }
> return inode;
> }
>diff -uprN -x '*.o' -x '*.ko' -x '*.s' -x '*.mod.c' -x '.*' -x autoconf.h -x compile.h -x version.h ./linux-2.6.16-rc2/fs/sysfs/sysfs.h ./linux-2.6.16-rc2-sde/fs/sysfs/sysfs.h
>--- ./linux-2.6.16-rc2/fs/sysfs/sysfs.h 2006-01-02 22:21:10.000000000 -0500
>+++ ./linux-2.6.16-rc2-sde/fs/sysfs/sysfs.h 2006-02-09 09:42:19.000000000 -0500
>@@ -17,6 +17,8 @@ extern void sysfs_remove_subdir(struct d
> extern const unsigned char * sysfs_get_name(struct sysfs_dirent *sd);
> extern void sysfs_drop_dentry(struct sysfs_dirent *sd, struct dentry *parent);
> extern int sysfs_setattr(struct dentry *dentry, struct iattr *iattr);
>+extern int sysfs_setxattr(struct dentry *dentry, const char *name,
>+ const void *value, size_t size, int flags);
> 
> extern struct rw_semaphore sysfs_rename_sem;
> extern struct super_block * sysfs_sb;
>diff -uprN -x '*.o' -x '*.ko' -x '*.s' -x '*.mod.c' -x '.*' -x autoconf.h -x compile.h -x version.h ./linux-2.6.16-rc2/include/linux/security.h ./linux-2.6.16-rc2-sde/include/linux/security.h
>--- ./linux-2.6.16-rc2/include/linux/security.h 2006-02-08 19:17:10.000000000 -0500
>+++ ./linux-2.6.16-rc2-sde/include/linux/security.h 2006-02-09 09:42:19.000000000 -0500
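Review bot: sysfs_setxattr ignores its `flags` argument, so the XATTR_CREATE / XATTR_REPLACE semantics of the setxattr interface are not honoured — a replace on a dirent whose `s_secid` is still `SECID_NULL` should fail with -ENODATA and a create on an already-labelled dirent with -EEXIST, but both silently overwrite. The converted secid is also stored only in the dirent, so the inode currently attached to `dentry` keeps its previous label until sysfs_new_inode rebuilds it, unless the LSM's post-setxattr hook happens to update the live inode; either apply it with `security_inode_setsecid(dentry->d_inode, secid)` on success or document that the label takes effect lazily. Because every xattr namespace now reaches this op, a header comment should state that the function only converts and stores the label and relies on the VFS/LSM setxattr checks having been made before it is called.
```c
int sysfs_setxattr(struct dentry *dentry, const char *name, const void *value,
		   size_t size, int flags)
{
	/* … unchanged: sd lookup and -EINVAL check … */

	/* Honour the create/replace flags against the label already stored. */
	if ((flags & XATTR_REPLACE) && sd->s_secid == SECID_NULL)
		return -ENODATA;
	if ((flags & XATTR_CREATE) && sd->s_secid != SECID_NULL)
		return -EEXIST;

	error = security_xattr_to_secid(name, value, size, &secid);
	if (error)
		return error;

	sd->s_secid = secid;
	/* Apply to the live inode too; the dirent copy covers later rebuilds. */
	if (dentry->d_inode)
		error = security_inode_setsecid(dentry->d_inode, secid);

	return error;
}
```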
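Review bot: The result of `security_inode_setsecid(inode, sd->s_secid)` in sysfs_new_inode is dropped, so when the label cannot be applied (the new wrapper returns -EOPNOTSUPP for private inodes or when the active LSM does not implement the op) the inode silently keeps the default label while the dirent still claims one. sysfs_new_inode returns only the inode pointer, so propagating the error is awkward; at minimum make the discard explicit with a comment such as `/* best effort: the stored label is re-applied on every inode rebuild */` ahead of the call, or drop the inode and return NULL when a stored label cannot be applied. The enclosing function starts outside the hunk.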
>@@ -94,6 +94,9 @@ struct swap_info_struct;
> #define LSM_UNSAFE_PTRACE 2
> #define LSM_UNSAFE_PTRACE_CAP 4
> 
>+/* {get,set}secid special value */
>+#define SECID_NULL 0x00000000 /* unspecified security ID */
>+
> #ifdef CONFIG_SECURITY
> 
> /**
>@@ -1171,6 +1174,11 @@ struct security_operations {
> int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err);
> int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
> int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
>+ int (*inode_getsecid)(struct inode *inode, u32 *secid);
>+ int (*inode_setsecid)(struct inode *inode, u32 secid);
>+
>+ int (*xattr_to_secid) (const char *name, const void *value, size_t size,
>+ u32 *secid);
> 
> int (*file_permission) (struct file * file, int mask);
> int (*file_alloc_security) (struct file * file);
>@@ -1699,6 +1707,26 @@ static inline int security_inode_listsec
> return security_ops->inode_listsecurity(inode, buffer, buffer_size);
> }
> 
>+static inline int security_inode_getsecid(struct inode *inode, u32 *secid)
>+{
>+ if (unlikely (IS_PRIVATE (inode)))
>+ return -EOPNOTSUPP;
>+ return security_ops->inode_getsecid(inode, secid);
>+}
>+
>+static inline int security_inode_setsecid(struct inode *inode, u32 secid)
>+{
>+ if (unlikely (IS_PRIVATE (inode)))
>+ return -EOPNOTSUPP;
>+ return security_ops->inode_setsecid(inode, secid);
>+}
>+
>+static inline int security_xattr_to_secid(const char *name, const char *value,
>+ size_t size, u32 *secid)
>+{
>+ return security_ops->xattr_to_secid(name, value, size, secid);
>+}
>+
> static inline int security_file_permission (struct file *file, int mask)
> {
> return security_ops->file_permission (file, mask);
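Review bot: The three new `security_operations` members (`inode_getsecid`, `inode_setsecid`, `xattr_to_secid`) have no default implementations anywhere in this patch — there is no security/dummy.c hunk — so, unless that file is updated in work not attached here, a kernel running the dummy/capability module or any LSM other than SELinux leaves `security_ops->xattr_to_secid` NULL and the first setxattr on a sysfs inode calls through that null pointer via `security_xattr_to_secid`. Each new op needs a dummy entry (returning -EOPNOTSUPP, matching the !CONFIG_SECURITY stubs) and the corresponding fix-up in the routine that fills unset ops. The new members are also absent from the documentation block above `struct security_operations` that describes every other hook; entries for `@inode_getsecid`, `@inode_setsecid` and `@xattr_to_secid` should say that secids are LSM-opaque, that `xattr_to_secid` only converts and performs no access check, and that `SECID_NULL` means unlabelled.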
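Review bot: `security_xattr_to_secid` declares `value` as `const char *` while the `xattr_to_secid` op it forwards to, the SELinux implementation and the sysfs caller all use `const void *`; it compiles only through C's implicit void-pointer conversions and is the one place in the new API where the type differs, so change the wrapper to `const void *value` (and the !CONFIG_SECURITY stub in the @@ -2335 hunk the same way). The IS_PRIVATE guards on the two inode wrappers mirror the neighbouring inode_*security wrappers, but `security_xattr_to_secid` has no inode to check; a one-line comment, `/* conversion only: no inode and no access check here */`, would make explicit that its callers must have passed the setxattr permission checks already.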
>@@ -2335,6 +2363,22 @@ static inline int security_inode_listsec
> return 0;
> }
> 
>+static inline int security_inode_getsecid(struct inode *inode, u32 *secid)
>+{
>+ return -EOPNOTSUPP;
>+}
>+
>+static inline int security_inode_setsecid(struct inode *inode, u32 secid)
>+{
>+ return -EOPNOTSUPP;
>+}
>+
>+static inline int security_xattr_to_secid(const char *name, const char *value,
>+ size_t size, u32 *secid)
>+{
>+ return -EOPNOTSUPP;
>+}
>+
> static inline int security_file_permission (struct file *file, int mask)
> {
> return 0;
>diff -uprN -x '*.o' -x '*.ko' -x '*.s' -x '*.mod.c' -x '.*' -x autoconf.h -x compile.h -x version.h ./linux-2.6.16-rc2/include/linux/sysfs.h ./linux-2.6.16-rc2-sde/include/linux/sysfs.h
>--- ./linux-2.6.16-rc2/include/linux/sysfs.h 2006-01-02 22:21:10.000000000 -0500
>+++ ./linux-2.6.16-rc2-sde/include/linux/sysfs.h 2006-02-09 09:42:19.000000000 -0500
>@@ -74,6 +74,7 @@ struct sysfs_dirent {
> umode_t s_mode;
> struct dentry * s_dentry;
> struct iattr * s_iattr;
>+ u32 s_secid;
> };
> 
> #define SYSFS_ROOT 0x0001
>diff -uprN -x '*.o' -x '*.ko' -x '*.s' -x '*.mod.c' -x '.*' -x autoconf.h -x compile.h -x version.h ./linux-2.6.16-rc2/security/selinux/hooks.c ./linux-2.6.16-rc2-sde/security/selinux/hooks.c
>--- ./linux-2.6.16-rc2/security/selinux/hooks.c 2006-02-08 19:17:14.000000000 -0500
>+++ ./linux-2.6.16-rc2-sde/security/selinux/hooks.c 2006-02-09 10:39:35.000000000 -0500
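Review bot: The new `s_secid` member of `struct sysfs_dirent` is added without a comment, and the convention that `SECID_NULL` means "never labelled" exists only implicitly in the dir.c initialisation and the check in sysfs_new_inode. Document it at the declaration, `u32 s_secid; /* LSM secid set through setxattr; SECID_NULL if unlabelled */`, so that anyone adding another dirent allocation path knows the field must be initialised and what the sentinel means. The struct definition starts outside the hunk.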
>@@ -2290,6 +2290,31 @@ static int selinux_inode_listsecurity(st
> return len;
> }
> 
>+static int selinux_inode_getsecid(struct inode *inode, u32 *secid)
>+{
>+ struct inode_security_struct *isec = inode->i_security;
>+ *secid = isec->sid;
>+
>+ return 0;
>+}
>+
>+static int selinux_inode_setsecid(struct inode *inode, u32 secid)
>+{
>+ return inode_security_set_sid(inode, secid);
>+}
>+
>+static int selinux_xattr_to_secid(const char *name, const void *value,
>+ size_t size, u32 *secid)
>+{
>+ if (strcmp(name, XATTR_NAME_SELINUX))
>+ return -EOPNOTSUPP;
>+
>+ if (!value || !size)
>+ return -EACCES;
>+
>+ return security_context_to_sid((void*)value, size, secid);
>+}
>+
> /* file security operations */
> 
> static int selinux_file_permission(struct file *file, int mask)
>@@ -4275,6 +4300,10 @@ static struct security_operations selinu
> .inode_getsecurity = selinux_inode_getsecurity,
> .inode_setsecurity = selinux_inode_setsecurity,
> .inode_listsecurity = selinux_inode_listsecurity,
>+ .inode_getsecid = selinux_inode_getsecid,
>+ .inode_setsecid = selinux_inode_setsecid,
>+
>+ .xattr_to_secid = selinux_xattr_to_secid,
> 
> .file_permission = selinux_file_permission,
> .file_alloc_security = selinux_file_alloc_security,
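Review bot: `selinux_xattr_to_secid` casts `value` to `(void*)`, which silently discards the `const` qualifier before the buffer reaches `security_context_to_sid`; if that function takes a non-const `char *` the cast should be the narrower `(char *)value` with a comment that the context is not modified, and if it accepts `const` the cast can go. Nothing in this hook checks the caller's relabel permission — it converts any well-formed context for `security.selinux` and returns -EACCES only for an empty value — so the function deserves a short comment stating that relabelfrom/relabelto enforcement is expected from the existing inode_setxattr hook, which the VFS runs before the filesystem's setxattr is reached; without that note the op reads as if it were itself the access check. `selinux_inode_getsecid` dereferences `inode->i_security` unconditionally, which is presumably safe only because every inode carries an inode_security_struct by the time this runs — worth a one-line comment on the assumption.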